OpenBSD-4.6/kerberosV/src/lib/gssapi/ChangeLog

2005-12-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* acquire_cred.c: 1.27: (acquire_acceptor_cred): only check if
	principal exists if we got called with principal as an argument.
	1.26: (acquire_acceptor_cred): check that the acceptor exists in
	the keytab before returning ok.
	
2005-05-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (init_auth): honor ok-as-delegate if local
	configuration approves

	* gssapi_locl.h: prototype for _gss_check_compat

	* compat.c: export check_compat as _gss_check_compat

2005-05-29  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system header files that pollute the name space.

	* accept_sec_context.c: Prefix Der_class with ASN1_C_ to avoid
	problems with system header files that pollute the name space.

2005-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (init_auth): set
	KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED (for java compatibility),
	also while here, use krb5_auth_con_addflags

2005-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (_gssapi_wrap_arcfour): fix calculating the encap
	length. From: Tom Maher <tmaher@eecs.berkeley.edu>

2005-05-02  Dave Love  <fx@gnu.org>

	* test_cred.c (main): Call setprogname.

2005-04-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* prefix all sequence symbols with _, they are not part of the
	GSS-API api. By comment from Wynn Wilkes <wynnw@vintela.com>

2005-04-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: break out the processing of the delegated
	credential to a separate function to make error handling easier,
	move the credential handling to after other setup is done
	
	* test_sequence.c: make less verbose in case of success

	* Makefile.am: add test_sequence to TESTS

2005-04-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum): check that cksum
	isn't NULL From: Nicolas Pouvesle <npouvesle@tenablesecurity.com>

2005-03-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: use $(LIB_roken)

2005-03-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): pass in the
	krb5_context to krb5_free_error_string
	
2005-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* display_status.c (gssapi_krb5_set_error_string): don't misuse
	the krb5_get_error_string api

2005-03-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* compat.c (_gss_DES3_get_mic_compat): don't unlock mutex
	here. Bug reported by Stefan Metzmacher <metze@samba.org>

2005-02-21  Luke Howard  <lukeh@padl.com>

	* init_sec_context.c: don't call krb5_get_credentials() with
	  KRB5_TC_MATCH_KEYTYPE, it can lead to the credentials cache
	  growing indefinitely as no key is found with KEYTYPE_NULL

	* compat.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG, it is
	  no longer used (however the mechListMIC behaviour is broken,
	  rfc2478bis support requires the code in the mechglue branch)

	* init_sec_context.c: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

	* gssapi.h: remove GSS_C_EXPECTING_MECH_LIST_MIC_FLAG

2005-01-05  Luke Howard  <lukeh@padl.com>

	* 8003.c: use symbolic name for checksum type

	* accept_sec_context.c: allow client to indicate
	  that subkey should be used

	* acquire_cred.c: plug leak

	* get_mic.c: use gss_krb5_get_subkey() instead
	  of gss_krb5_get_{local,remote}key(), support
	  KEYTYPE_ARCFOUR_56

	* gssapi_local.c: use gss_krb5_get_subkey(),
	  support KEYTYPE_ARCFOUR_56

	* import_sec_context.c: plug leak

	* unwrap.c: use gss_krb5_get_subkey(),
	  support KEYTYPE_ARCFOUR_56

	* verify_mic.c: use gss_krb5_get_subkey(),
	  support KEYTYPE_ARCFOUR_56

	* wrap.c: use gss_krb5_get_subkey(),
	  support KEYTYPE_ARCFOUR_56

2004-11-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* inquire_cred.c: Reverse order of HEIMDAL_MUTEX_unlock and
	gss_release_cred to avoid deadlock, from Luke Howard
	<lukeh@padl.com>.

2004-09-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: gss_krb5_extract_authz_data_from_sec_context
	was renamed to gsskrb5_extract_authz_data_from_sec_context
	
2004-08-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* unwrap.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
	
	* arcfour.c: mutex buglet, From: Luke Howard <lukeh@PADL.COM>
	
2004-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: spelling from Josef El-Rayes <josef@FreeBSD.org> while
	here, write some text about the SPNEGO situation
	
2004-04-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: s/CTXAcceptorSubkey/CFXAcceptorSubkey/
	
2004-04-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add GSS_C_EXPECTING_MECH_LIST_MIC_FLAG From: Luke
	Howard <lukeh@padl.com>
	
	* init_sec_context.c (spnego_reply): use
	_gss_spnego_require_mechlist_mic to figure out if we need to check
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* accept_sec_context.c (send_accept): use
	_gss_spnego_require_mechlist_mic to figure out if we need to send
	MechListMIC; From: Luke Howard <lukeh@padl.com>

	* gssapi_locl.h: add _gss_spnego_require_mechlist_mic
	From: Luke Howard <lukeh@padl.com>

	* compat.c: add _gss_spnego_require_mechlist_mic for compatibility
	with MS SPNEGO, From: Luke Howard <lukeh@padl.com>
	
2004-04-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_is_cfx): krb5_keyblock->keytype is
	an enctype, not keytype

	* accept_sec_context.c: use ASN1_MALLOC_ENCODE
	
	* init_sec_context.c: avoid the malloc loop and just allocate the
	proper amount of data

	* init_sec_context.c (spnego_initial): handle mech_token better
	
2004-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add gss_krb5_get_tkt_flags
	
	* Makefile.am: add ticket_flags.c
	
	* ticket_flags.c: Get ticket-flags from acceptor ticket From: Luke
	Howard <lukeh@PADL.COM>
	
	* gss_acquire_cred.3: document gss_krb5_get_tkt_flags
	
2004-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* acquire_cred.c (gss_acquire_cred): check usage before even
	bothering to process it, add both keytab and initial tgt if
	requested

	* wrap.c: support cfx, try to handle acceptor asserted subkey
	
	* unwrap.c: support cfx, try to handle acceptor asserted subkey
	
	* verify_mic.c: support cfx
	
	* get_mic.c: support cfx
	
	* test_sequence.c: handle changed signature of
	gssapi_msg_order_create

	* import_sec_context.c: handle acceptor asserted subkey
	
	* init_sec_context.c: handle acceptor asserted subkey
	
	* accept_sec_context.c: handle acceptor asserted subkey
	
	* sequence.c: add dummy use_64 argument to gssapi_msg_order_create
	
	* gssapi_locl.h: add partial support for CFX
	
	* Makefile.am (noinst_PROGRAMS) += test_cred
	
	* test_cred.c: gssapi credential testing

	* test_acquire_cred.c: fix comment
	
2004-03-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.h: drop structures for message formats, no longer used
	
	* arcfour.c: comment describing message formats

	* accept_sec_context.c (spnego_accept_sec_context): make sure the
	length of the choice element doesn't overrun us
	
	* init_sec_context.c (spnego_reply): make sure the length of the
	choice element doesn't overrun us
	
	* spnego.asn1: move NegotiationToken to avoid warning
	
	* spnego.asn1: uncomment NegotiationToken
	
	* Makefile.am: spnego_files += asn1_NegotiationToken.x
	
2004-01-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: add gss_krb5_ccache_name
	
	* Makefile.am (libgssapi_la_SOURCES): += ccache_name.c
	
	* ccache_name.c (gss_krb5_ccache_name): help function enable to
	set krb5 name, using out_name argument makes function no longer
	thread-safe

	* gssapi.3: add missing gss_krb5_ references
	
	* gss_acquire_cred.3: document gss_krb5_ccache_name
	
2003-12-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: make rrc a modulus operation if it's longer than the
	length of the message, noticed by Sam Hartman

2003-12-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: use krb5_auth_con_addflags
	
2003-12-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: Wrap token id was in wrong order, found by Sam Hartman
	
2003-12-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: add AcceptorSubkey (but no code understands it yet) ignore
	unknown token flags
	
2003-11-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c: Don't require timestamp to be set on
	delegated token, it's already protected by the outer token (and
	windows doesn't always send it) Pointed out by Zi-Bin Yang
	<zbyang@decru.com> on heimdal-discuss

2003-11-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: fix {} error, pointed out by Liqiang Zhu
	
2003-11-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: Sequence number should be stored in bigendian order From:
	Luke Howard <lukeh@padl.com>
	
2003-11-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* delete_sec_context.c (gss_delete_sec_context): don't free
	ticket, krb5_free_ticket does that now

2003-11-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: checksum the header last in MIC token, update to -03
	From: Luke Howard <lukeh@padl.com>
	
2003-10-07  Love Hörnquist Åstrand  <lha@it.su.se>

	* add_cred.c: If it's a MEMORY cc, make a copy. We need to do this
	since now gss_release_cred will destroy the cred. This should
	really be solved a better way.

	* acquire_cred.c (gss_release_cred): if it's a mcc, destroy it
	rather than just release it Found by: "Zi-Bin Yang"
	<zbyang@decru.com>

	* acquire_cred.c (acquire_initiator_cred): use kret instead of ret
	where appropriate

2003-09-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: spelling
	From: jmc <jmc@prioris.mini.pw.edu.pl>
	
2003-09-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: - EC and RRC are big-endian, not little-endian - The
	default is now to rotate regardless of GSS_C_DCE_STYLE. There are
	no longer any references to GSS_C_DCE_STYLE.  - rrc_rotate()
	avoids allocating memory on the heap if rrc <= 256
	From: Luke Howard <lukeh@padl.com>
	
2003-09-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: rrc_rotate() was untested and broken, fix it.
	Set and verify wrap Token->Filler.
	Correct token ID for wrap tokens, 
	were accidentally swapped with delete tokens.
	From: Luke Howard <lukeh@PADL.COM>

2003-09-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: no ASN.1-ish header on per-message tokens
	From: Luke Howard <lukeh@PADL.COM>
	
2003-09-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.h: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

	* arcfour.c: remove dependency on gss_arcfour_mic_token and
	gss_arcfour_warp_token

2003-09-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* 8003.c: remove #if 0'ed code
	
2003-09-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gsskrb5_accept_sec_context): set sequence
	number when not requesting mutual auth From: Luke Howard
	<lukeh@PADL.COM>

	* init_sec_context.c (init_auth): set sequence number when not
	requesting mutual auth From: Luke Howard <lukeh@PADL.COM>
	
2003-09-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (*): set minor_status
	(gss_wrap): set conf_state to conf_req_flags on success
	From: Luke Howard <lukeh@PADL.COM>
	
	* wrap.c (gss_wrap_size_limit): use existing function From: Luke
	Howard <lukeh@PADL.COM>
	
2003-09-12  Love Hörnquist Åstrand  <lha@it.su.se>

	* indicate_mechs.c (gss_indicate_mechs): in case of error, free
	mech_set

	* indicate_mechs.c (gss_indicate_mechs): add SPNEGO

2003-09-10  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (spnego_initial): catch errors and return
	them

	* init_sec_context.c (spnego_initial): add #if 0 out version of
	the CHOICE branch encoding, also while here, free no longer used
	memory

2003-09-09  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: support GSS_SPNEGO_MECHANISM
	
	* accept_sec_context.c: SPNEGO doesn't include gss wrapping on
	SubsequentContextToken like the Kerberos 5 mech does.
	
	* init_sec_context.c (spnego_reply): SPNEGO doesn't include gss
	wrapping on SubsequentContextToken like the Kerberos 5 mech
	does. Let's check for it anyway.
	
	* accept_sec_context.c: Add support for SPNEGO on the initiator
	side.  Implementation initially from Assar Westerlund, passed
	through quite a lot of hands before I committed it.
	
	* init_sec_context.c: Add support for SPNEGO on the initiator side.
	Tested with ldap server on a Windows 2000 DC. Implementation
	initially from Assar Westerlund, passed through quite a lot of
	hands before I committed it.
	
	* gssapi.h: export GSS_SPNEGO_MECHANISM
	
	* gssapi_locl.h: include spnego_as.h add prototype for
	gssapi_krb5_get_mech
	
	* decapsulate.c (gssapi_krb5_get_mech): make non static
	
	* Makefile.am: build SPNEGO file
	
2003-09-08  Love Hörnquist Åstrand  <lha@it.su.se>

	* external.c: SPNEGO and IAKERB oids
	
	* spnego.asn1: SPNEGO ASN1
	
2003-09-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.c: RRC also needs to be zero before wrapping them
	From: Luke Howard <lukeh@PADL.COM>
	
2003-09-04  Love Hörnquist Åstrand  <lha@it.su.se>

	* encapsulate.c (gssapi_krb5_encap_length): don't return void
	
2003-09-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: switch from the des_ to the DES_ api
	
	* get_mic.c: switch from the des_ to the DES_ api
	
	* unwrap.c: switch from the des_ to the DES_ api
	
	* wrap.c: switch from the des_ to the DES_ api
	
	* cfx.c: EC is not included in the checksum since the length might
	change depending on the data.  From: Luke Howard <lukeh@PADL.COM>
	
	* acquire_cred.c: use
	krb5_get_init_creds_opt_alloc/krb5_get_init_creds_opt_free

2003-09-01  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c: rename
	gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context

	* gssapi.h: rename gss_krb5_extract_authz_data_from_sec_context to
	gsskrb5_extract_authz_data_from_sec_context
	
2003-08-31  Love Hörnquist Åstrand  <lha@it.su.se>

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	check that we have a ticket before we start to use it
	
	* gss_acquire_cred.3: document
	gss_krb5_extract_authz_data_from_sec_context
	
	* gssapi.h (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard

	* copy_ccache.c (gss_krb5_extract_authz_data_from_sec_context):
	return the kerberos authorizationdata, from idea of Luke Howard
	
	* verify_mic.c (gss_verify_mic_internal): switch type and key
	argument

2003-08-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* cfx.[ch]: draft-ietf-krb-wg-gssapi-cfx-01.txt implementation
	From: Luke Howard <lukeh@PADL.COM>
	
2003-08-28  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (arcfour_mic_cksum): use free_Checksum to free the
	checksum

	* arcfour.h: swap two last arguments to verify_mic for consistency
	with des3

	* wrap.c,unwrap.c,get_mic.c,verify_mic.c,cfx.c,cfx.h:
	prefix cfx symbols with _gssapi_

	* arcfour.c: release the right buffer
	
	* arcfour.c: rename token structure in consistency with rest of
	GSS-API From: Luke Howard <lukeh@PADL.COM>
	
	* unwrap.c (unwrap_des3): use _gssapi_verify_pad
	(unwrap_des): use _gssapi_verify_pad

	* arcfour.c (_gssapi_wrap_arcfour): set the correct padding
	(_gssapi_unwrap_arcfour): verify and strip padding

	* gssapi_locl.h: added _gssapi_verify_pad
	
	* decapsulate.c (_gssapi_verify_pad): verify padding of a gss
	wrapped message and return its length
	
	* arcfour.c: support KEYTYPE_ARCFOUR_56 keys, from Luke Howard
	<lukeh@PADL.COM>
	
	* arcfour.c: use right seal alg, inherit keytype from parent key
	
	* arcfour.c: include the confounder in the checksum use the right
	key usage number for wrapped/unwrapped tokens
	
	* gssapi.h: add gss_krb5_nt_general_name as an mit compat glue
	(same as GSS_KRB5_NT_PRINCIPAL_NAME)

	* unwrap.c: hook in arcfour unwrap
	
	* wrap.c: hook in arcfour wrap
	
	* verify_mic.c: hook in arcfour verify_mic
	
	* get_mic.c: hook in arcfour get_mic
	
	* arcfour.c: implement wrap/unwrap
	
	* gssapi_locl.h: add gssapi_{en,de}code_be_om_uint32
	
	* 8003.c: add gssapi_{en,de}code_be_om_uint32
	
2003-08-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* arcfour.c (_gssapi_verify_mic_arcfour): Do the checksum on right
	area. Swap filler check, it was reversed.
	
	* Makefile.am (libgssapi_la_SOURCES): += arcfour.c
	
	* gssapi_locl.h: include "arcfour.h"
	
	* arcfour.c: arcfour gss-api mech, get_mic/verify_mic working

	* arcfour.h: arcfour gss-api mech, get_mic/verify_mic working
	
2003-08-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: always include cfx.h add prototype for
	_gssapi_decapsulate

	* cfx.[ch]: Implementation of draft-ietf-krb-wg-gssapi-cfx-00.txt
	from Luke Howard <lukeh@PADL.COM>

	* decapsulate.c: add _gssapi_decapsulate, from Luke Howard
	<lukeh@PADL.COM>
	
2003-08-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* unwrap.c: encap/decap now takes an oid if the enctype/keytype is
	arcfour, return error add hook for cfx
	
	* verify_mic.c: encap/decap now takes an oid if the enctype/keytype
	is arcfour, return error add hook for cfx
	
	* get_mic.c: encap/decap now takes an oid if the enctype/keytype is
	arcfour, return error add hook for cfx
	
	* accept_sec_context.c: encap/decap now takes an oid
	
	* init_sec_context.c: encap/decap now takes an oid
	
	* gssapi_locl.h: include cfx.h if we need it lifetime is an
	OM_uint32, depend on gssapi interface add all new encap/decap
	functions
	
	* decapsulate.c: add decap functions that don't take the token
	type also make all decap functions take the oid mech that they
	should use

	* encapsulate.c: add encap functions that don't take the token
	type also make all encap functions take the oid mech that they
	should use

	* sequence.c (elem_insert): fix an off by one index counter
	
	* inquire_cred.c (gss_inquire_cred): handle cred_handle being
	GSS_C_NO_CREDENTIAL and use the default cred then.
	
2003-08-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: break out extensions and document
	gsskrb5_register_acceptor_identity

2003-08-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c (print_time): time is returned in seconds
	from now, not unix time

2003-08-17  Love Hörnquist Åstrand  <lha@it.su.se>
	
	* compat.c (check_compat): avoid leaking principal when finding a
	match

	* address_to_krb5addr.c: sa_size argument to krb5_addr2sockaddr is
	a krb5_socklen_t

	* acquire_cred.c (gss_acquire_cred): 4th argument to
	gss_test_oid_set_member is an int

2003-07-22  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (repl_mutual): don't set kerberos error where
	there was no kerberos error

	* gssapi_locl.h: Add destruction/creation prototypes and structure
	for the thread specific storage.

	* display_status.c: use thread specific storage to set/get the
	kerberos error message

	* init.c: Provide locking around the creation of the global
	krb5_context. Add destruction/creation functions for the thread
	specific storage that the error string handling is using.
	
2003-07-20  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: add missing prototype and missing .Ft
	arguments

2003-06-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c: reorder code so sequence numbers can be used
	
	* unwrap.c: reorder code so sequence numbers can be used
	
	* sequence.c: remove unused function, indent, add
	gssapi_msg_order_f that filter gss flags to gss_msg_order flags
	
	* gssapi_locl.h: prototypes for
	gssapi_{encode_om_uint32,decode_om_uint32} add sequence number
	verifier prototypes

	* delete_sec_context.c: destroy sequence number verifier
	
	* init_sec_context.c: remember to free data use sequence number
	verifier
	
	* accept_sec_context.c: don't clear output_token twice remember to
	free data use sequence number verifier
	
	* 8003.c: export and rename encode_om_uint32/decode_om_uint32 and
	start to use them

2003-06-09  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: can't have sequence.c in two different places

2003-06-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_sequence.c: check rollover, print summary
	
	* wrap.c (sub_wrap_size): gss_wrap_size_limit() has
	req_output_size and max_input_size around the wrong way -- it
	returns the output token size for a given input size, rather than
	the maximum input size for a given output token size.
	
	From: Luke Howard <lukeh@PADL.COM>
	
2003-06-05  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi_locl.h: add prototypes for sequence.c
	
	* Makefile.am (libgssapi_la_SOURCES): add sequence.c
	(test_sequence): build

	* sequence.c: sequence number checks, order and replay
	* test_sequence.c: sequence number checks, order and replay

2003-06-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* accept_sec_context.c (gss_accept_sec_context): make sure time is
	returned in seconds from now, not in kerberos time
	
	* acquire_cred.c (gss_aquire_cred): make sure time is returned in
	seconds from now, not in kerberos time
	
	* init_sec_context.c (init_auth): if the cred is expired before we
	try to create a token, fail so the peer doesn't need to reject us
	(*): make sure time is returned in seconds from now, 
	not in kerberos time
	(repl_mutual): remember to unlock the context mutex

	* context_time.c (gss_context_time): remove unused variable
	
	* verify_mic.c: make sure minor_status is always set, pointed out
	by Luke Howard <lukeh@PADL.COM>

2003-05-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* *.[ch]: do some basic locking (no reference counting so contexts 
	  can be removed while still used)
	- don't export gss_ctx_id_t_desc_struct and gss_cred_id_t_desc_struct
	- make sure all lifetimes are returned in seconds left until expired,
	  not in unix epoch

	* gss_acquire_cred.3: document argument lifetime_rec to function
	gss_inquire_context

2003-05-17  Love Hörnquist Åstrand  <lha@it.su.se>

	* test_acquire_cred.c: test gss_add_cred more than once
	
2003-05-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.h: if __cplusplus, wrap the extern variable (just to be
	safe) and functions in extern "C" { }
	
2003-04-30  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: more about the des3 mic mess
	
	* verify_mic.c (verify_mic_des3): always check if the mic is the
	correct mic or the mic that old heimdal would have generated
	
2003-04-28  Jacques Vidrine  <nectar@kth.se>

	* verify_mic.c (verify_mic_des3): If MIC verification fails,
	retry using the `old' MIC computation (with zero IV).

2003-04-26  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: more about difference between comparing IN
	and MN

	* gss_acquire_cred.3: more about name type and access control
	
2003-04-25  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document gss_context_time
	
	* context_time.c: if lifetime of context has expired, set
	time_rec to 0 and return GSS_S_CONTEXT_EXPIRED
	
	* gssapi.3: document [gssapi]correct_des3_mic
	[gssapi]broken_des3_mic

	* gss_acquire_cred.3: document gss_krb5_compat_des3_mic
	
	* compat.c (gss_krb5_compat_des3_mic): enable turning on/off des3
	mic compat
	(_gss_DES3_get_mic_compat): handle [gssapi]correct_des3_mic too

	* gssapi.h (gss_krb5_compat_des3_mic): new function, turn on/off
	des3 mic compat
	(GSS_C_KRB5_COMPAT_DES3_MIC): cpp symbol that exists if
	gss_krb5_compat_des3_mic exists
	
2003-04-24  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am:  (libgssapi_la_LDFLAGS): update major
	version of gssapi for incompatibility in 3des getmic support
	
2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: test_acquire_cred_LDADD: use libgssapi.la not
	./libgssapi.la (make make -jN work)

2003-04-16  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: spelling
	
	* gss_acquire_cred.3: Change .Fd #include <header.h> to .In
	header.h, from Thomas Klausner <wiz@netbsd.org>

	
2003-04-06  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: spelling
	
	* Makefile.am: remove stuff that sneaked in with last commit
	
	* acquire_cred.c (acquire_initiator_cred): if the requested name
	isn't in the ccache, also check keytab.  Extract the krbtgt for the
	default realm to check how long the credentials will last.
	
	* add_cred.c (gss_add_cred): don't create a new ccache, just open
	the old one; better check if output handle is compatible with new
	(copied) handle

	* test_acquire_cred.c: test gss_add_cred too
	
2003-04-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* Makefile.am: build test_acquire_cred
	
	* test_acquire_cred.c: simple gss_acquire_cred test
	
2003-04-02  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: s/gssapi/GSS-API/
	
2003-03-19  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: document v1 interface (and that they are
	obsolete)

2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_acquire_cred.3: list supported mechanism and nametypes
	
2003-03-16  Love Hörnquist Åstrand  <lha@it.su.se>
	
	* gss_acquire_cred.3: text about gss_display_name

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 3:6:2
	(libgssapi_la_SOURCES): add all new functions

	* gssapi.3: now that we have the functions, uncomment the missing
	ones

	* gss_acquire_cred.3: now that we have the functions, uncomment the
	missing ones

	* process_context_token.c: implement gss_process_context_token
	
	* inquire_names_for_mech.c: implement gss_inquire_names_for_mech
	
	* inquire_mechs_for_name.c: implement gss_inquire_mechs_for_name
	
	* inquire_cred_by_mech.c: implement gss_inquire_cred_by_mech
	
	* add_cred.c: implement gss_add_cred
	
	* acquire_cred.c (gss_acquire_cred): more testing of input
	argument, make sure output arguments are ok, since we don't know
	the time_rec (for now), set it to time_req
	
	* export_sec_context.c: send lifetime, also set minor_status
	
	* get_mic.c: set minor_status
	
	* import_sec_context.c (gss_import_sec_context): add error
	checking, pick up lifetime (if there is no lifetime, use
	GSS_C_INDEFINITE)

	* init_sec_context.c: take care to set export value to something
	sane before we start so caller will have harmless values in them
	if the function fails

	* release_buffer.c (gss_release_buffer): set minor_status
	
	* wrap.c: make sure minor_status gets set
	
	* verify_mic.c (gss_verify_mic_internal): rename verify_mic to
	gss_verify_mic_internal and let it take the type as an argument,
	(gss_verify_mic): call gss_verify_mic_internal
	set minor_status
	
	* unwrap.c: set minor_status
	
	* test_oid_set_member.c (gss_test_oid_set_member): use
	gss_oid_equal

	* release_oid_set.c (gss_release_oid_set): set minor_status
	
	* release_name.c (gss_release_name): set minor_status
	
	* release_cred.c (gss_release_cred): set minor_status
	
	* add_oid_set_member.c (gss_add_oid_set_member): set minor_status
	
	* compare_name.c (gss_compare_name): set minor_status
	
	* compat.c (check_compat): make sure ret has a defined value
	
	* context_time.c (gss_context_time): set minor_status
	
	* copy_ccache.c (gss_krb5_copy_ccache): set minor_status
	
	* create_emtpy_oid_set.c (gss_create_empty_oid_set): set
	minor_status

	* delete_sec_context.c (gss_delete_sec_context): set minor_status
	
	* display_name.c (gss_display_name): set minor_status
	
	* display_status.c (gss_display_status): use gss_oid_equal, handle
	supplementary errors

	* duplicate_name.c (gss_duplicate_name): set minor_status
	
	* inquire_context.c (gss_inquire_context): set lifetime_rec now
	when we know it, set minor_status

	* inquire_cred.c (gss_inquire_cred): take care to set export value
	to something sane before we start so caller will have harmless
	values in them if the function fails
	
	* accept_sec_context.c (gss_accept_sec_context): take care to set
	export value to something sane before we start so caller will have
	harmless values in them if the function fails, set lifetime from
	ticket expiration date

	* indicate_mechs.c (gss_indicate_mechs): use
	gss_create_empty_oid_set and gss_add_oid_set_member

	* gssapi.h (gss_ctx_id_t_desc): store the lifetime in the cred,
	since there is no ticket transferred in the exported context
	
	* export_name.c (gss_export_name): export name with
	GSS_C_NT_EXPORT_NAME wrapping, not just the principal
	
	* import_name.c (import_export_name): new function, parses a
	GSS_C_NT_EXPORT_NAME
	(import_krb5_name): factor out common code of parsing krb5 name
	(gss_oid_equal): rename from oid_equal

	* gssapi_locl.h: add prototypes for gss_oid_equal and
	gss_verify_mic_internal

	* gssapi.h: comment out the argument names
	
2003-03-15  Love Hörnquist Åstrand  <lha@it.su.se>

	* gssapi.3: add LIST OF FUNCTIONS and copyright/license

	* Makefile.am: s/gss_aquire_cred.3/gss_acquire_cred.3/
	
	* Makefile.am: man_MANS += gss_aquire_cred.3
	
2003-03-14  Love Hörnquist Åstrand  <lha@it.su.se>

	* gss_aquire_cred.3: the gssapi api manpage
	
2003-03-03  Love Hörnquist Åstrand  <lha@it.su.se>

	* inquire_context.c: (gss_inquire_context): rename argument open
	to open_context

	* gssapi.h (gss_inquire_context): rename argument open to open_context

2003-02-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* init_sec_context.c (do_delegation): remove unused variable
	subkey

	* gssapi.3: all 0.5.x version had broken token delegation
	
2003-02-21  Love Hörnquist Åstrand  <lha@it.su.se>

	* (init_auth): only generate one subkey

2003-01-27  Love Hörnquist Åstrand  <lha@it.su.se>

	* verify_mic.c (verify_mic_des3): fix 3des verify_mic to conform
	to rfc (and mit kerberos), provide backward compat hook
	
	* get_mic.c (mic_des3): fix 3des get_mic to conform to rfc (and
	mit kerberos), provide backward compat hook
	
	* init_sec_context.c (init_auth): check if we need compat for
	older get_mic/verify_mic

	* gssapi_locl.h: add prototype for _gss_DES3_get_mic_compat
	
	* gssapi.h (more_flags): add COMPAT_OLD_DES3
	
	* Makefile.am: add gssapi.3 and compat.c
	
	* gssapi.3: add gssapi COMPATIBILITY documentation
	
	* accept_sec_context.c (gss_accept_sec_context): check if we need
	compat for older get_mic/verify_mic

	* compat.c: check for compatibility with other heimdal's 3des
	get_mic/verify_mic

2002-10-31  Johan Danielsson  <joda@pdc.kth.se>

	* check return value from gssapi_krb5_init
	
	* 8003.c (gssapi_krb5_verify_8003_checksum): check size of input

2002-09-03  Johan Danielsson  <joda@pdc.kth.se>

	* wrap.c (wrap_des3): use ETYPE_DES3_CBC_NONE

	* unwrap.c (unwrap_des3): use ETYPE_DES3_CBC_NONE

2002-09-02  Johan Danielsson  <joda@pdc.kth.se>

	* init_sec_context.c: we need to generate a local subkey here

2002-08-20  Jacques Vidrine <n@nectar.com>

	* acquire_cred.c, inquire_cred.c, release_cred.c: Use default
	  credential resolution if gss_acquire_cred is called with
	  GSS_C_NO_NAME.

2002-06-20  Jacques Vidrine <n@nectar.com>

	* import_name.c: Compare name types by value if pointers do
	  not match.  Reported by: "Douglas E. Engert" <deengert@anl.gov>

2002-05-20  Jacques Vidrine <n@nectar.com>

	* verify_mic.c (gss_verify_mic), unwrap.c (gss_unwrap): initialize
	  the qop_state parameter.  from Doug Rabson <dfr@nlsystems.com>

2002-05-09  Jacques Vidrine <n@nectar.com>

	* acquire_cred.c: handle GSS_C_INITIATE/GSS_C_ACCEPT/GSS_C_BOTH

2002-05-08  Jacques Vidrine <n@nectar.com>

	* acquire_cred.c: initialize gssapi; handle null desired_name

2002-03-22  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: remove non-functional stuff accidentally committed

2002-03-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:5:2
	* 8003.c (gssapi_krb5_verify_8003_checksum): handle zero channel
	bindings

2001-10-31  Jacques Vidrine <n@nectar.com>

	* get_mic.c (mic_des3): MIC computation using DES3/SHA1
	was bogusly appending the message buffer to the result,
	overwriting a heap buffer in the process.

2001-08-29  Assar Westerlund  <assar@sics.se>

	* 8003.c (gssapi_krb5_verify_8003_checksum,
	gssapi_krb5_create_8003_checksum): make more consistent by always
	returning a gssapi error and setting minor status.  update
	callers

2001-08-28  Jacques Vidrine  <n@nectar.com>

	* accept_sec_context.c: Create a cache for delegated credentials
	  when needed.

2001-08-28  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:4:2

2001-08-23  Assar Westerlund  <assar@sics.se>

	*  *.c: handle minor_status more consistently

	* display_status.c (gss_display_status): handle krb5_get_err_text
	failing

2001-08-15  Johan Danielsson  <joda@pdc.kth.se>

	* gssapi_locl.h: fix prototype for gssapi_krb5_init

2001-08-13  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): init
	context and check return value from kt_resolve

	* init.c: return error code

2001-07-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): update to 3:3:2

2001-07-12  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LIBADD): add required library
	dependencies

2001-07-06  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gsskrb5_register_acceptor_identity): set
	the keytab to be used for gss_acquire_cred too

2001-07-03  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 3:2:2

2001-06-18  Assar Westerlund  <assar@sics.se>

	* wrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* verify_mic.c: update krb5_auth_con function names use
	gss_krb5_get_remotekey
	* unwrap.c: replace gss_krb5_getsomekey with gss_krb5_get_localkey
	and gss_krb5_get_remotekey
	* gssapi_locl.h (gss_krb5_get_remotekey, gss_krb5_get_localkey):
	add prototypes
	* get_mic.c: update krb5_auth_con function names. use
	gss_krb5_get_localkey
	* accept_sec_context.c: update krb5_auth_con function names

2001-05-17  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 3:1:2

2001-05-14  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c: adapt to new address functions

2001-05-11  Assar Westerlund  <assar@sics.se>

	* try to return the error string from libkrb5 where applicable

2001-05-08  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): remember to free
	the memory used by the ticket itself. from <tmartin@mirapoint.com>

2001-05-04  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add config.h for completeness
	* gssapi.h: remove config.h, this is an installed header file
	sys/types.h is not needed either
	
2001-03-12  Assar Westerlund  <assar@sics.se>

	* acquire_cred.c (gss_acquire_cred): remove memory leaks.  from
	Jason R Thorpe <thorpej@zembu.com>

2001-02-18  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): either return
	gss_name NULL-ed or set

	* import_name.c: set minor_status in some cases where it was not
	done

2001-02-15  Assar Westerlund  <assar@sics.se>

	* wrap.c: use krb5_generate_random_block for the confounders

2001-01-30  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump version to 3:0:2
	* acquire_cred.c, init_sec_context.c, release_cred.c: add support
	for getting creds from a keytab, from fvdl@netbsd.org

	* copy_ccache.c: add gss_krb5_copy_ccache

2001-01-27  Assar Westerlund  <assar@sics.se>

	* get_mic.c: cast parameters to des function to non-const pointers
 	to handle the case where these functions actually take non-const
 	des_cblock *

2001-01-09  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): use krb5_rd_cred2
	instead of krb5_rd_cred

2000-12-11  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:3:1

2000-12-08  Assar Westerlund  <assar@sics.se>

	* wrap.c (wrap_des3): use the checksum as ivec when encrypting the
	sequence number
	* unwrap.c (unwrap_des3): use the checksum as ivec when encrypting
	the sequence number
	* init_sec_context.c (init_auth): always zero fwd_data

2000-12-06  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: de-pointerise auth_context parameter to
	krb5_mk_rep

2000-11-15  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (init_auth): update to new
	krb5_build_authenticator

2000-09-19  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): bump to 2:2:1

2000-08-27  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c: actually pay attention to `time_req'
	* init_sec_context.c: re-organize.  leak less memory.
	* gssapi_locl.h (gssapi_krb5_encapsulate, gss_krb5_getsomekey):
	update prototypes add assert.h
	* gssapi.h (GSS_KRB5_CONF_C_QOP_DES, GSS_KRB5_CONF_C_QOP_DES3_KD):
	add
	* verify_mic.c: re-organize and add 3DES code
	* wrap.c: re-organize and add 3DES code
	* unwrap.c: re-organize and add 3DES code
	* get_mic.c: re-organize and add 3DES code
	* encapsulate.c (gssapi_krb5_encapsulate): do not free `in_data',
	let the caller do that.  fix the callers.

2000-08-16  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 2:1:1

2000-07-29  Assar Westerlund  <assar@sics.se>

	* decapsulate.c (gssapi_krb5_verify_header): sanity-check length

2000-07-25  Johan Danielsson  <joda@pdc.kth.se>

	* Makefile.am: bump version to 2:0:1

2000-07-22  Assar Westerlund  <assar@sics.se>

	* gssapi.h: update OID for GSS_C_NT_HOSTBASED_SERVICE and other
	details from rfc2744

2000-06-29  Assar Westerlund  <assar@sics.se>

	* address_to_krb5addr.c (gss_address_to_krb5addr): actually use
	`int' instead of `sa_family_t' for the address family.

2000-06-21  Assar Westerlund  <assar@sics.se>

	* add support for token delegation.  From Daniel Kouril
	<kouril@ics.muni.cz> and Miroslav Ruda <ruda@ics.muni.cz>

2000-05-15  Assar Westerlund  <assar@sics.se>

	* Makefile.am (libgssapi_la_LDFLAGS): set version to 1:1:1

2000-04-12  Assar Westerlund  <assar@sics.se>

	* release_oid_set.c (gss_release_oid_set): clear set for
	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_name.c (gss_release_name): reset input_name for
	robustness.  From GOMBAS Gabor <gombasg@inf.elte.hu>
	* release_buffer.c (gss_release_buffer): set value to NULL to be
	more robust.  From GOMBAS Gabor <gombasg@inf.elte.hu>
	* add_oid_set_member.c (gss_add_oid_set_member): actually check if
	the oid is a member first.  leave the oid_set unchanged if realloc
	fails.

2000-02-13  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 1:0:1

2000-02-12  Assar Westerlund  <assar@sics.se>

	* gssapi_locl.h: add flags for import/export
	* import_sec_context.c (import_sec_context): add flags for what
	fields are included.  do not include the authenticator for now.
	* export_sec_context.c (export_sec_context): add flags for what
	fields are included.  do not include the authenticator for now.
	* accept_sec_context.c (gss_accept_sec_context): set target in
	context_handle

2000-02-11  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): set context to
	GSS_C_NO_CONTEXT

	* Makefile.am: add {export,import}_sec_context.c
	* export_sec_context.c: new file
	* import_sec_context.c: new file
	* accept_sec_context.c (gss_accept_sec_context): set trans flag

2000-02-07  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:5:0

2000-01-26  Assar Westerlund  <assar@sics.se>

	* delete_sec_context.c (gss_delete_sec_context): handle a NULL
	output_token

	* wrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
	changes to libdes calls to make them more portable.
	* verify_mic.c: update to pseudo-standard APIs for md4,md5,sha.
	some changes to libdes calls to make them more portable.
	* unwrap.c: update to pseudo-standard APIs for md4,md5,sha.  some
	changes to libdes calls to make them more portable.
	* get_mic.c: update to pseudo-standard APIs for md4,md5,sha.  some
	changes to libdes calls to make them more portable.
	* 8003.c: update to pseudo-standard APIs for md4,md5,sha.

2000-01-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:4:0

1999-12-26  Assar Westerlund  <assar@sics.se>

	* accept_sec_context.c (gss_accept_sec_context): always set
 	`output_token'
	* init_sec_context.c (init_auth): always initialize `output_token'
	* delete_sec_context.c (gss_delete_sec_context): always set
 	`output_token'

1999-12-06  Assar Westerlund  <assar@sics.se>

	* Makefile.am: bump version to 0:3:0

1999-10-20  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:2:0

1999-09-21  Assar Westerlund  <assar@sics.se>

	* init_sec_context.c (gss_init_sec_context): initialize `ticket'

	* gssapi.h (gss_ctx_id_t_desc): add ticket in here.  ick.

	* delete_sec_context.c (gss_delete_sec_context): free ticket

	* accept_sec_context.c (gss_accept_sec_context): stove away
 	`krb5_ticket' in context so that ugly programs such as
 	gss_nt_server can get at it.  uck.

1999-09-20  Johan Danielsson  <joda@pdc.kth.se>

	* accept_sec_context.c: set minor_status

1999-08-04  Assar Westerlund  <assar@sics.se>

	* display_status.c (calling_error, routine_error): right shift the
 	code to make it possible to index into the arrays

1999-07-28  Assar Westerlund  <assar@sics.se>

	* gssapi.h (GSS_C_AF_INET6): add

	* import_name.c (import_hostbased_name): set minor_status

1999-07-26  Assar Westerlund  <assar@sics.se>

	* Makefile.am: set version to 0:1:0

Wed Apr  7 14:05:15 1999  Johan Danielsson  <joda@hella.pdc.kth.se>

	* display_status.c: set minor_status

	* init_sec_context.c: set minor_status

	* lib/gssapi/init.c: remove donep (check gssapi_krb5_context
 	directly)